This Privacy Policy explains how Servino-S collects, uses, stores, and protects the personal data of its users, in full compliance with the UK GDPR, EU GDPR (Regulation (EU) 2016/679), and other applicable data protection legislation.
1. About This Policy
This Privacy Policy applies to Servino-S -- a multi-platform business management application available on iOS, Android, and the Web (the "App", the "Service", "Servino-S"). It sets out how we, as the data controller, collect, use, share, retain, and protect personal data, and explains the rights available to you under data protection law.
By creating an account with Servino-S or using any of its features, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, you should not use the Service.
References to "we", "us", or "our" mean the legal entity operating Servino-S. References to "you" or "your" mean any individual whose personal data is processed by us -- including subscribers, business owners, workers, customers, and suppliers whose data is stored in the App.
2. Data Controller
The data controller responsible for your personal data is:
| Product Name | Servino-S |
|---|---|
| Legal Entity | AUM PVT LTD, UK |
| Company Number | 12535225 |
| Privacy Contact | info@servino-s.com |
| Website | https://aumpvtltd.com/ and https://theservino.com/ |
If you have any questions about this Policy or wish to exercise your rights, please contact us using the details above.
3. What Personal Data We Collect
We collect personal data in the categories described below. We only collect data that is necessary and proportionate for the purposes described in Section 4.
3.1 Account and User Registration Data
When you register for Servino-S, we collect:
- Full name
- Email address (used as your primary login identifier)
- Password (stored as a one-way bcrypt hash -- we never store plain-text passwords)
- Mobile telephone number (optional -- used for SMS one-time passwords)
- Google account details, if you register via Google OAuth (name, email, profile picture as provided by Google)
3.2 Business Profile Data
When you create a business within the App, we collect:
- Business name, email address, and telephone number(s)
- Business postal address (address lines, city, country, postcode)
- Company registration number and registering authority (optional)
- Business logo (uploaded image)
- Website URL, Facebook page URL, Instagram profile URL (all optional)
- VAT or tax reference numbers (optional)
- Default document notes for quotations, invoices, and work orders
3.3 Partner Data (Customers, Workers, and Suppliers)
When you add contacts to your business, we collect information about:
- Customers: Full name or business name, email address, mobile number, postal address
- Workers: Full name, email address, mobile number, postal address, default pay rate and unit of measure
- Suppliers: Full name or business name, email address, mobile number, postal address
Important: You are responsible for ensuring you have an appropriate legal basis for entering third-party personal data (such as your customers' and workers' data) into Servino-S. You act as a data controller in respect of that data, and we act as a data processor on your behalf. Please refer to Section 13 for further details on our processor responsibilities.
3.4 Sales and Financial Document Data
As part of the quotation, work order, and invoice management features, we process:
- Customer names, addresses, and contact details as they appear on documents
- Worker names and email addresses as assigned to work orders
- Item descriptions, quantities, prices, discounts, tax rates, and totals
- Document status, dates, and reference numbers
- Payment amounts, due dates, and payment history
3.5 Expense and Mileage Data
When you use the Expenses module, we collect:
- Mileage records: vehicle registration number, start and end addresses, postcodes, start and end date/time, total distance travelled, and unit of measure
- GPS/location data: precise geographic coordinates collected via your device's location services when you use the GPS tracking feature in the Mileage Recording module. Location data is used solely to calculate your route distance and is not used for any other purpose
- Supplier invoice details: supplier information, invoice amounts, payment status, expense categories, and notes
- Other expense records: expense type, date, amount, and free-text notes
3.6 Technical and Usage Data
We automatically collect certain technical data when you use the Service:
- IP address and device identifiers
- Device type, operating system, and browser type
- App version and platform (iOS, Android, Web)
- Authentication tokens (Firebase/JWT -- not permanently stored in a readable form)
- Log data: API request timestamps, error reports (via Sentry), and uptime monitoring data
- Offline sync queue data: temporarily stored in a local SQLite database on your mobile device until synced to our servers
3.7 Communications Data
If you contact us for support or via email, we will collect your name, email address, and the content of your communication.
4. How and Why We Use Your Personal Data
We process personal data only where we have a lawful basis to do so under Article 6 of the UK/EU GDPR. The table below summarises our purposes and the corresponding legal bases.
| Purpose of Processing | Personal Data Used | Legal Basis (Art. 6 GDPR) |
|---|---|---|
| Account creation and authentication | Name, email, password, mobile number, Google profile | Art. 6(1)(b) -- Performance of a contract |
| Providing core business management features (quotations, work orders, invoices, expenses) | All partner, item, financial, and mileage data | Art. 6(1)(b) -- Performance of a contract |
| GPS-based mileage tracking | Precise location coordinates, vehicle registration | Art. 6(1)(a) -- Consent (permission requested at device level) |
| Sending transactional emails and document notifications | Email address, document content | Art. 6(1)(b) -- Performance of a contract |
| Providing offline data storage and synchronisation | All operational data, offline sync queue | Art. 6(1)(b) -- Performance of a contract |
| Analytics dashboards and financial reporting | Aggregated financial data scoped to your business | Art. 6(1)(b) -- Performance of a contract |
| Security: preventing fraud, account lockout, intrusion detection | IP address, login attempts, authentication tokens | Art. 6(1)(f) -- Legitimate interests |
| Technical monitoring, error tracking, uptime monitoring | Log data, IP addresses, error reports | Art. 6(1)(f) -- Legitimate interests |
| Responding to support requests | Name, email, communication content | Art. 6(1)(f) -- Legitimate interests |
| Legal and regulatory compliance | Any data required by applicable law | Art. 6(1)(c) -- Legal obligation |
| Subscription and billing management (future feature) | Name, email, billing details | Art. 6(1)(b) -- Performance of a contract |
Where we rely on legitimate interests (Article 6(1)(f)), we have conducted a balancing test and are satisfied that our interests do not override your fundamental rights and freedoms. You may request a copy of our legitimate interests assessment by contacting us.
5. Location Data and GPS Tracking
The Servino-S mobile application includes a GPS-based mileage tracking feature that records your location when you tap "Start Tracking" and stops recording when you tap "Stop Tracking". This feature:
- Requires your explicit consent via your device's operating system permission dialogue before location data is accessed
- Is used solely to calculate the distance between your start and end points for business mileage records
- Does not continuously monitor your location in the background when not actively tracking a journey
- Stores only the start address, end address, and total distance -- precise GPS coordinates are not permanently stored on our servers after the journey calculation is complete
- Is not available on the Web portal; it is a mobile-only feature
You may revoke location permissions at any time through your device settings. Revoking this permission will disable GPS-based mileage tracking, but you can continue to enter mileage data manually.
6. Data Sharing and Third-Party Processors
We do not sell, rent, or trade your personal data to any third party for marketing purposes. We share data only in the limited circumstances set out below.
6.1 Sub-Processors
We engage the following trusted third-party service providers (sub-processors) to help us deliver the Service. Each has been assessed for GDPR compliance and is bound by contractual data processing obligations:
| Service Provider | Service | Data Shared | Location |
|---|---|---|---|
| Google Firebase | User authentication, OAuth sign-in, access tokens | Email, name (OAuth), auth tokens | EU / USA (SCCs) |
| Hostinger VPS | Application hosting and database (MySQL) | All application data | EU (Lithuania) |
| SendGrid (planned) | Transactional email delivery | Email address, document attachments | USA (SCCs) |
| WhatsApp Business API (plan.) | Document sharing notifications | Phone number, document links | USA (SCCs) |
| Stripe / Razorpay (planned) | Subscription payment processing | Name, email, billing info | USA / India (SCCs) |
| Sentry | Error monitoring and crash reporting | Log data, device info, anonymised stack traces | USA (SCCs) |
| Uptime Robot | Availability monitoring | Server IP, response time (no personal data) | USA |
| GitHub Actions (CI/CD) | Deployment pipeline | Source code only -- no personal data | USA (SCCs) |
| Redis / Celery | Background task processing (self-hosted on VPS) | Temporary task queues | EU (Hostinger VPS) |
6.2 Legal Disclosures
We may disclose your personal data to competent authorities, regulators, law enforcement agencies, or courts if we are under a legal obligation to do so, or if necessary to protect the vital interests of a person, or in connection with legal proceedings.
6.3 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our business assets, your personal data may be transferred to the acquiring entity. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.
7. International Data Transfers
Some of our sub-processors are located outside the United Kingdom and the European Economic Area (EEA), including in the United States. Where we transfer personal data internationally, we ensure appropriate safeguards are in place to protect your data to the same standard as it is protected within the UK/EEA. The safeguards we rely upon include:
- Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Agreement (IDTA)
- Adequacy decisions made by the UK Government or European Commission for recipient countries
You may request further information about the specific safeguards in place for any particular transfer by contacting us at the address in Section 2.
8. How Long We Keep Your Data
We retain personal data only for as long as is necessary to fulfil the purpose for which it was collected, or to comply with legal, regulatory, or contractual obligations. The retention periods below represent our standard practice:
| Category of Data | Retention Period | Reason |
|---|---|---|
| Account data (name, email, mobile) | Duration of account + 2 years after account deletion | Legal obligation and resolution of disputes |
| Business profile data | Duration of active subscription + 2 years | Legal and tax record requirements |
| Customer, Worker, and Supplier data | Duration of account + 2 years after account deletion | Contractual and legitimate business records |
| Financial documents (invoices, quotations, work orders) | 7 years from document date | Legal/tax obligation (HMRC -- UK, or equivalent) |
| Expense and mileage records | 7 years from date of entry | Tax and HMRC mileage compliance requirements |
| GPS/location coordinates | Deleted immediately after route calculation | Data minimisation (GDPR Art. 5(1)(e)) |
| Technical/log data | 90 days on a rolling basis | Security monitoring and debugging |
| Backups | 30 days (automated daily backups) | Business continuity |
| Support communications | 3 years | Legitimate interests (dispute resolution) |
After the applicable retention period expires, we securely delete or anonymise personal data so that it can no longer be attributed to any individual.
9. How We Protect Your Data
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, accidental loss, alteration, or disclosure.
9.1 Technical Measures
- All data transmitted between the App and our servers is encrypted using HTTPS/TLS 1.2 or higher
- All data stored on our servers is encrypted at rest using AES-256 encryption
- Passwords are hashed using bcrypt with a minimum cost factor of 12 -- we never store passwords in plain text
- Authentication uses short-lived JWT access tokens (15-minute expiry) combined with 7-day rotating refresh tokens via Firebase
- Multi-factor authentication (MFA) via SMS one-time passwords is available and recommended
- Account lockout after 5 consecutive failed login attempts, with unlock via verified email link
- SQL injection and common web application attacks are mitigated through parameterised queries and server-side input validation
- Multi-tenant data isolation: each business's data is logically separated using unique business identifiers -- no user can access another user's data
9.2 Organisational Measures
- Access to production systems is restricted to authorised personnel only
- Automated daily database backups with 30-day retention
- Continuous application monitoring via Sentry (error tracking) and Uptime Robot (availability monitoring)
- Regular review of sub-processor security practices
While we implement strong security measures, no system is completely immune from security risks. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by law (within 72 hours of becoming aware of the breach).
10. Your Rights Under Data Protection Law
Under the UK GDPR and EU GDPR, you have the following rights in respect of your personal data. These rights apply to personal data we hold about you as a data subject in your own right (e.g. your account data). Where you have uploaded third-party data (e.g. your customers) into Servino-S, those individuals must exercise their rights with you as the data controller of that data.
| Your Right | What It Means | How to Exercise |
|---|---|---|
| Right of Access (Art. 15) | You may request a copy of all personal data we hold about you, along with information about how it is processed. | Submit a Subject Access Request (SAR) to privacy@servino-s.com. We will respond within one month. |
| Right to Rectification (Art. 16) | You may request correction of inaccurate or incomplete personal data. | Contact us by email or update data directly in the App settings. |
| Right to Erasure -- "Right to be Forgotten" (Art. 17) | You may request deletion of your personal data where there is no overriding legal basis for continued processing. | Email privacy@servino-s.com. Note: some data may be retained where required by law (e.g. financial records). |
| Right to Restriction of Processing (Art. 18) | You may ask us to temporarily suspend processing of your data -- for example, while accuracy is contested. | Email privacy@servino-s.com specifying the restriction requested. |
| Right to Data Portability (Art. 20) | You may request your data in a structured, machine-readable format (e.g. CSV/JSON) for transfer to another service. | Submit a portability request to privacy@servino-s.com. Data will be provided within one month. |
| Right to Object (Art. 21) | You may object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds. | Email privacy@servino-s.com stating the grounds for your objection. |
| Right to Withdraw Consent (Art. 7(3)) | Where processing is based on your consent (e.g. GPS location access), you may withdraw consent at any time without affecting the lawfulness of prior processing. | Revoke location permissions in your device settings, or contact us to withdraw any other consent-based processing. |
| Rights re: Automated Decisions (Art. 22) | You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. | Contact us if you believe you have been subject to such a decision. |
To exercise any of these rights, please contact us at privacy@servino-s.com. We will respond within one calendar month of receiving your request. We may need to verify your identity before processing your request. There is no charge for most requests, though we reserve the right to charge a reasonable fee or refuse requests that are manifestly unfounded or excessive.
If you are not satisfied with how we have handled your request, or with our data protection practices generally, you have the right to lodge a complaint with the relevant supervisory authority:
- United Kingdom: Information Commissioner's Office (ICO) -- www.ico.org.uk
- European Union: The data protection authority in your EU member state of habitual residence or place of work
11. Cookies and Local Storage
11.1 Web Portal Cookies
The Servino-S web portal may use cookies and similar tracking technologies to operate the Service. Cookies we use include:
| Cookie Name | Type | Purpose | Expiry |
|---|---|---|---|
| auth_token | Strictly Necessary | Maintains your authenticated session | Session / 7 days |
| csrf_token | Strictly Necessary | Protects against cross-site request forgery | Session |
| app_preferences | Functional | Stores UI preferences (language, theme) | 1 year |
| _ga, _gid (future) | Analytics | Anonymous usage analytics (if enabled in future) | 2 years / 24 hours |
We will obtain your consent before placing any non-essential cookies (e.g. analytics cookies). You may manage or disable cookies through your browser settings, though disabling essential cookies may impair the functionality of the web portal.
11.2 Mobile App Local Storage
The Servino-S mobile application uses a local SQLite database on your device to store operational data and an offline sync queue. This local database:
- Stores your business data locally to enable offline operation
- Assigns temporary local identifiers to records created offline (prefixed "LOCAL-"), which are replaced with permanent server IDs upon synchronisation
- Is protected by your device's built-in security (device encryption and access controls)
- Is not shared with any third party directly
12. Children's Privacy
Servino-S is a business management application intended solely for use by individuals aged 18 and over. We do not knowingly collect or process personal data from children under the age of 18. If we become aware that we have inadvertently collected personal data from a child under 18, we will delete it promptly.
If you believe that a child under 18 has provided us with personal data, please contact us immediately at privacy@servino-s.com.
13. Servino-S as a Data Processor
When you use Servino-S to store and manage data about your own customers, workers, and suppliers, you are acting as the data controller in respect of that third-party personal data. Servino-S acts as a data processor on your behalf, processing that data only in accordance with your instructions and this Policy.
As the data controller of your customers' and workers' data, you are responsible for:
- Ensuring you have a lawful basis for entering that personal data into Servino-S
- Providing those individuals with appropriate privacy notices about how their data is used
- Responding to any data subject rights requests made by those individuals
- Ensuring the accuracy and security of the data you enter
Our Data Processing Agreement (DPA), which governs the terms on which we process personal data on your behalf, is incorporated by reference into our Terms of Service. By using Servino-S, you agree to the terms of the DPA. A copy is available on request.
14. Automated Decision-Making and Profiling
Servino-S does not currently make any decisions about individuals that are based solely on automated processing and that produce legal or similarly significant effects. Our analytics and reporting features aggregate financial data for your own business insight -- they do not generate automated decisions about you or any third party.
If we introduce any automated decision-making in the future, we will update this Policy and implement appropriate safeguards.
15. Marketing Communications
We may send you occasional service-related communications (e.g. important updates about the Service, security notifications, or changes to this Policy). These are necessary for the performance of the contract and cannot be opted out of while you maintain an account.
Where we wish to send you marketing or promotional communications (e.g. new feature announcements, product updates), we will do so only with your prior consent and in accordance with the UK Privacy and Electronic Communications Regulations (PECR). You may opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email, or by contacting us at privacy@servino-s.com.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data processing practices, the services we offer, or applicable laws and regulations. When we make material changes, we will:
- Post the updated Policy on our website with a revised "Last Updated" date
- Notify you by email at the address associated with your account, or through an in-app notification, at least 30 days before the changes take effect
Your continued use of Servino-S after the effective date of the updated Policy constitutes your acceptance of the changes. If you do not agree with the updated Policy, you should cease using the Service and delete your account.
The version history of this Privacy Policy is maintained internally. Previous versions are available on request.
17. Contact Us and Complaints
If you have any questions, concerns, or complaints about this Privacy Policy or about how we process your personal data, please contact our Data Protection representative:
| privacy@servino-s.com [placeholder] | |
| Post | [INSERT COMPANY NAME], [INSERT ADDRESS] |
| Subject line | Privacy / Data Protection Enquiry |
We will acknowledge your contact within 5 business days and aim to resolve all queries within one calendar month.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:
| ICO Website | www.ico.org.uk |
|---|---|
| ICO Helpline | 0303 123 1113 |
| ICO Post | Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF |
If you are located in the European Union, you may additionally lodge a complaint with the data protection authority in your country of residence or place of work.
Glossary of Key Terms
| Term | Definition |
|---|---|
| Data Controller | The entity that determines the purposes and means of processing personal data. |
| Data Processor | An entity that processes personal data on behalf of a data controller. |
| Data Subject | The individual to whom personal data relates. |
| GDPR | General Data Protection Regulation -- EU Regulation 2016/679 (and UK GDPR as retained in UK law). |
| ICO | Information Commissioner's Office -- the UK's independent data protection regulator. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Processing | Any operation performed on personal data, including collection, storage, use, disclosure, or deletion. |
| SCCs | Standard Contractual Clauses -- EU-approved contractual mechanisms for international data transfers. |
| Sub-processor | A third party engaged by the data processor to assist in processing personal data. |
| UK GDPR | The UK's retained version of the EU GDPR, as amended by the Data Protection, Privacy and Electronic Communications Regulations 2019. |
© 2026 Servino-S. All rights reserved. | This document should be reviewed by a qualified legal professional before publication.